How we built an automated employee lifecycle system that bridges Paylocity HR data with both cloud and on-premises identity infrastructure, eliminating manual IT overhead and notification noise.
The Challenge
Mark-Taylor Residential manages a large workforce across multiple properties and legal entities. Like many organizations that have grown organically, their IT infrastructure spans both cloud services (Microsoft Entra ID, Microsoft 365) and on-premises Active Directory — a hybrid identity model that adds real complexity to everyday operations.
When an employee is hired, changes roles, goes on leave, or is terminated, those changes originate in their HR system (Paylocity). But the downstream impact touches multiple systems: cloud identities, on-prem domain accounts, email, licensing, and manager notifications. Before our engagement, much of this was either manual or handled by a first-generation automation that had grown brittle over time.
Key Problems We Solved
Notification Flooding
Routine HR updates — pay changes, bulk manager reassignments — were triggering cascades of unnecessary IT notification emails. A single payroll cycle could generate dozens of alerts for changes that required zero IT action. We implemented intelligent change detection that compares incoming HR data against current directory state field-by-field, and only fires notifications when actionable attributes actually change.
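The change-detection idea, as an added illustration rather than the project's own code: the split of fields into "notify IT", "sync silently" and "never mirrored" is an assumption, as are the attribute names and the sample records.

```python
# Attributes whose change needs an IT action and therefore an email (assumed split).
NOTIFY_FIELDS = {"jobTitle", "department", "officeLocation"}
# Attributes written to the directory silently: kept in sync, no notification.
SILENT_SYNC_FIELDS = {"manager", "employeeId"}
# Everything else (pay rate, pay frequency, ...) is never mirrored to the directory.


def _norm(value):
    """Normalise so case, whitespace and None-vs-'' differences don't register as changes."""
    return "" if value is None else str(value).strip().casefold()


def diff_record(hr_record, directory_state):
    """Return {'notify': {field: (old, new)}, 'silent': {...}} for fields that actually differ."""
    changes = {"notify": {}, "silent": {}}
    for field in NOTIFY_FIELDS | SILENT_SYNC_FIELDS:
        old, new = directory_state.get(field), hr_record.get(field)
        if _norm(old) != _norm(new):
            changes["notify" if field in NOTIFY_FIELDS else "silent"][field] = (old, new)
    return changes


def should_notify(hr_record, directory_state):
    """Fire an IT notification only when an actionable attribute changed."""
    return bool(diff_record(hr_record, directory_state)["notify"])


# Constructed sample: current directory state for one employee.
DIRECTORY = {"employeeId": "E1001", "jobTitle": "Leasing Agent", "department": "Leasing",
             "officeLocation": "North", "manager": "E0100"}
# Constructed sample: a payroll cycle that changes pay and reassigns the manager only.
PAY_CYCLE = {"employeeId": "E1001", "jobTitle": "Leasing Agent", "department": "Leasing",
             "officeLocation": "North", "manager": "E0200", "payRate": "21.50"}
# Constructed sample: a real promotion that should reach IT.
PROMOTION = dict(PAY_CYCLE, jobTitle="Assistant Manager")

if __name__ == "__main__":
    print("pay cycle notifies:", should_notify(PAY_CYCLE, DIRECTORY))   # False
    print("promotion notifies:", should_notify(PROMOTION, DIRECTORY))   # True
```

The normalisation step matters in practice: without it, a trailing space or a case difference between the HR export and the directory value reintroduces the very noise the comparison is meant to remove.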
Duplicate Account Creation
The original system relied on email address matching to determine if a user already existed. This broke whenever email formats differed between systems. We shifted to using the HR system's unique employee identifier as the canonical match key, with email as a fallback — virtually eliminating duplicate account creation.
Ghost Processing of Terminated Employees
Manager reassignments on terminated employee records were being interpreted as new-hire events, triggering account creation workflows for people who had already left the company. We added early-exit logic that checks employment status before any processing occurs.
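Both fixes above, the employee-ID-first matching and the status check that runs before any create/update branch, as one added example (not the project's code). The status codes, field names and the in-memory directory are assumptions.

```python
TERMINATED_STATUSES = {"T", "TERMINATED"}   # assumed Paylocity status codes


def _clean(value, fold=False):
    text = (value or "").strip()
    return text.casefold() if fold else text


def find_account(hr_record, directory_users):
    """Match on the HR employee ID first; fall back to email only when no ID match exists."""
    emp_id = _clean(hr_record.get("employeeId"))
    if emp_id:
        by_id = [u for u in directory_users if _clean(u.get("employeeId")) == emp_id]
        if by_id:
            return by_id[0]
    email = _clean(hr_record.get("email"), fold=True)
    if email:
        by_mail = [u for u in directory_users if _clean(u.get("mail"), fold=True) == email]
        if len(by_mail) == 1:              # an ambiguous email match is not trusted
            return by_mail[0]
    return None


def determine_action(hr_record, directory_users):
    """Return (action, account). Employment status is checked before anything else."""
    status = _clean(hr_record.get("status")).upper()
    if status in TERMINATED_STATUSES:
        # Early exit: a reassignment on a terminated record must never fall through to "create".
        account = find_account(hr_record, directory_users)
        if account is None or not account.get("accountEnabled", False):
            return "skip", account          # already gone or already disabled
        return "terminate", account
    account = find_account(hr_record, directory_users)
    return ("update", account) if account else ("create", None)


# Constructed sample directory: u2 predates ID-based matching and has no employeeId yet.
USERS = [
    {"id": "u1", "employeeId": "E1001", "mail": "Jane.Doe@example.com", "accountEnabled": True},
    {"id": "u2", "employeeId": "", "mail": "old.format@example.com", "accountEnabled": True},
    {"id": "u3", "employeeId": "E1003", "mail": "left@example.com", "accountEnabled": False},
]
```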
Broken Email Templates
IT notification emails had accumulated formatting issues — double-encoded HTML, inconsistent layouts, and missing information. We rebuilt the templates with clean, color-coded designs that surface the right information at a glance.
Architecture: Bridging Cloud and On-Prem
The system uses a hybrid routing model. When an HR event comes in, the orchestration layer checks whether the user is cloud-managed or on-premises-synced. Cloud users are updated directly via the Microsoft Graph API. On-prem users are handled through a serverless function that securely bridges into the on-premises domain controller over an encrypted channel.
This design means a single webhook from the HR system can drive changes across both identity tiers without any manual IT intervention.
Two Automation Modes
Event-Driven (Real-Time)
When Paylocity fires a webhook — new hire, role change, termination, or leave of absence — the system processes it in near real-time. It fetches the full employee record, compares it against current directory state, determines the action type, and executes accordingly. Creates and updates go through an approval step; terminations execute immediately per HR policy.
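The dispatch step of the flow just described, covering both the cloud/on-prem routing from the Architecture section and the approval gate for creates and updates, as an added example that is not the project's code. The two clients are recording stand-ins for Microsoft Graph and the on-prem bridge function; `onPremisesSyncEnabled` is the Graph user property that marks a directory-synced account, and treating new hires as cloud-only is an assumption.

```python
class RecordingClient:
    """Stand-in for a Graph or on-prem bridge client; records what it is asked to do."""
    def __init__(self, name):
        self.name, self.calls = name, []
    def disable(self, account_id):
        self.calls.append(("disable", account_id))
    def update(self, account_id, attrs):
        self.calls.append(("update", account_id, attrs))
    def create(self, attrs):
        self.calls.append(("create", attrs))


class Orchestrator:
    """Routes a planned action to the owning identity tier; gates creates/updates on approval."""
    IMMEDIATE = {"terminate"}            # HR policy: access is cut straight away
    NEEDS_APPROVAL = {"create", "update"}

    def __init__(self, graph, bridge):
        self.graph, self.bridge = graph, bridge
        self.pending = []                # approval queue of (action, account, attrs)

    def tier_for(self, account):
        # Accounts synced from AD are mastered on-prem; cloud-only ones go straight to Graph.
        # Assumption: new hires (account is None) are created as cloud-only accounts.
        if account is None or not account.get("onPremisesSyncEnabled"):
            return self.graph
        return self.bridge

    def handle(self, action, account, attrs=None):
        if action == "skip":
            return "skipped"
        if action in self.NEEDS_APPROVAL:
            self.pending.append((action, account, attrs or {}))
            return "pending-approval"
        if action in self.IMMEDIATE:
            self.tier_for(account).disable(account["id"])
            return "executed"
        raise ValueError(f"unknown action {action!r}")

    def approve_all(self):
        """Run by the approver: execute every queued create/update against its tier."""
        executed = 0
        while self.pending:
            action, account, attrs = self.pending.pop(0)
            client = self.tier_for(account)
            client.create(attrs) if action == "create" else client.update(account["id"], attrs)
            executed += 1
        return executed


# Constructed sample accounts: one cloud-only, one synced from on-prem AD.
CLOUD_USER = {"id": "u1", "onPremisesSyncEnabled": False}
ONPREM_USER = {"id": "u2", "onPremisesSyncEnabled": True}
```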
Scheduled Sync (Nightly)
A separate scheduled job sweeps all employees across all company entities twice daily. This catch-all ensures no changes slip through the cracks if a webhook is missed, and keeps attributes like job title and employee ID consistently synchronized.
Phased Delivery
We delivered this project across eight incremental phases, each building on the last. Every phase was designed to be independently deployable with its own rollback plan and verification checklist. This approach let us ship improvements quickly while minimizing risk to a system that touches every employee's account.
Key wins from the phased approach:
- Eliminated notification flooding from pay and bulk manager changes
- Resolved duplicate account creation through employee ID-based matching
- Added leave of absence handling — automatically disabling and re-enabling accounts
- Built a global error handler that alerts admins with diagnostic information when something fails
- Backfilled employee IDs for 100+ existing users across both cloud and on-prem directories
Backfill: Closing the Data Gap
The shift to employee ID-based matching only works if existing users actually have that field populated. We built one-time backfill scripts that matched existing directory users to their Paylocity records by email, then wrote the employee ID back to the appropriate system — Graph API for cloud users, the on-prem bridge function for synced users. Over 100 users were backfilled in a single pass.
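The backfill logic as an added example (not the project's own script): it matches directory users to HR records by email, writes the ID to the tier that owns the account, and leaves ambiguous or conflicting matches for manual review. The clients are recording stand-ins for Graph and the bridge function, and the data is constructed.

```python
class TierClient:
    """Stand-in for the Graph client (cloud) or the bridge function (on-prem); records writes."""
    def __init__(self, name):
        self.name, self.writes = name, []
    def set_employee_id(self, account_id, employee_id):
        self.writes.append((account_id, employee_id))


def _key(value):
    return (value or "").strip().casefold()


def backfill_employee_ids(directory_users, hr_records, graph, bridge, dry_run=True):
    """Match directory users to HR by email and write employeeId to the tier that owns each account."""
    by_email = {}
    for rec in hr_records:
        if _key(rec.get("email")):
            by_email.setdefault(_key(rec.get("email")), []).append(rec)
    report = {"written": [], "already_set": [], "unmatched": [], "ambiguous": [], "conflict": []}
    for user in directory_users:
        matches = by_email.get(_key(user.get("mail")), [])
        current = (user.get("employeeId") or "").strip()
        if not matches:
            report["unmatched"].append(user["id"])
        elif len(matches) > 1:            # two HR records share the address: never guess
            report["ambiguous"].append(user["id"])
        elif current == matches[0]["employeeId"]:
            report["already_set"].append(user["id"])
        elif current:                     # directory already holds a different ID: review by hand
            report["conflict"].append(user["id"])
        else:
            client = bridge if user.get("onPremisesSyncEnabled") else graph
            if not dry_run:               # run once as a dry run, then again with dry_run=False
                client.set_employee_id(user["id"], matches[0]["employeeId"])
            report["written"].append((user["id"], matches[0]["employeeId"], client.name))
    return report


# Constructed sample data: u1 is synced from AD, u5 already carries a conflicting ID.
USERS = [
    {"id": "u1", "mail": "Jane.Doe@example.com", "employeeId": "", "onPremisesSyncEnabled": True},
    {"id": "u2", "mail": "bob@example.com", "employeeId": "", "onPremisesSyncEnabled": False},
    {"id": "u3", "mail": "shared@example.com", "employeeId": "", "onPremisesSyncEnabled": False},
    {"id": "u4", "mail": "nobody@example.com", "employeeId": "", "onPremisesSyncEnabled": False},
    {"id": "u5", "mail": "sam@example.com", "employeeId": "E0009", "onPremisesSyncEnabled": True},
]
HR = [{"employeeId": "E1001", "email": "jane.doe@example.com"}, {"employeeId": "E1002", "email": "bob@example.com"},
      {"employeeId": "E1003", "email": "shared@example.com"}, {"employeeId": "E1004", "email": "shared@example.com"},
      {"employeeId": "E1005", "email": "sam@example.com"}]
```

Running in dry-run mode first and reviewing the report is what keeps a one-shot write across 100+ accounts from silently stamping the wrong ID onto someone who then matches the wrong HR record forever after.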
Results
The system now handles the full employee lifecycle — hire, update, leave, and termination — across a hybrid cloud/on-prem environment with minimal IT involvement. Notification noise has been dramatically reduced, duplicate accounts are a thing of the past, and the phased architecture gives the team a clear path for future enhancements like phone number sync and department-to-office mapping.
This project is a good example of how targeted automation layered onto existing infrastructure can deliver outsized value without requiring a wholesale platform migration.
